[Cryptography] Passwords are dying - get over it

Joe St Sauver joe at oregon.uoregon.edu
Mon Dec 23 10:48:35 EST 2013


Hi,

Kent commented:

#People love to say passwords are dead, but any alternate proposals they 
#might suggest always seem worse to me.

And that's certainly consistent with the adoption rate we see for 
alternatives to passwords, at least when users are choosing based 
on ease-of-use/convenience, rather than the full panoply of 
considerations (including things like the security of the 
non-password-based authentication technology).

#Google seems to have the biggest head of steam by trying to become the 
#single sign-in for everything else, 

Among OpenID providers, Google's certainly the leader (Janrain 
quotes their market share at 38%), but Facebook is non-negligible 
at 27% and Yahoo's still in the race at 14%, see 
http://janrain.com/blog/what-are-most-popular-networks-social-login-and-sharing-web/
(as quoted by me on slide 53 of 
http://pages.uoregon.edu/joe/maawg-id-mgmt/maawg-id-mgmt.pdf )

Of course, there are alternatives to OpenID, including CAS and 
Shibboleth, both popular in higher ed and some government 
contexts (e.g., the Federal GFIPM project, http://www.gfipm.net/ , 
for example).

#and then, because they are so important they can force you to carry a 
#Bsafe fob, or something like that.  Actually, they probably won't go 
#for a fob...

In Google's case, it's pretty clear that they're putting their 
bet on smart phones as their 2nd factor/2nd channel of choice. 
(See http://www.google.com/landing/2step/ )

I've got a page that lists a variety of phone-based two-factor
authentication options at http://pages.uoregon.edu/joe/phone-2fa.html
(if I've inadvertently overlooked anyone, please let me know and
I'd be glad to add them to that page)

#Instead Google is working hard to know everything about me, and that is 
#key to their security solution: they will know I am legit when I log in 
#because they will know it is me because they have been following me.  

A consideration to be aware of with OpenID is that not only 
will the OpenID provider know "everything" about you, the 
relying parties will ALSO get to know a surprising amount 
about you, courtesy of what gets shared by default with the 
relying party (although this can vary from identity provider 
to identity provider, see slides 56-59 of the slide deck 
mentioned above)

SAML-based solutions (like Shibboleth), on the other hand, 
support fine grained attribute release policies, but in 
that case, bilateral negotiation of attribute release 
policies (beyond minimal default attribute release
policies) may hinder global scaling properties.

#Or something like that, they don't exactly know how it will work, but they 
#are getting good at recognizing login patterns and being confident I am 
#me based how and where I login.

You're really talking about risk-based authentication.

It may be key to keeping folks from going nuts as a 
result of better-than-password technologies: if 
someone's doing something they always do, from 
where they always do it, when they always do it, and 
the transaction's low risk anyhow, let them. On the 
other hand, if they're doing something unusual, 
from somewhere odd, at an uncommon time, and the 
transaction is "significant" (typically high 
dollar value, or security-sensitive), be careful 
and require stronger authentication.

The down side of that approach, from my POV, is that
it adds unpredictability to my logins -- maybe I'm
prone to forgetting my smart phone at home, and 
normally I can get away with it because I'm rarely
asked to do step-up authentication, but then bang,
once in a blue moon I might need it to login... ugh!

Regarding use of a simple notebook as a password 
cache, Kent observed:

#(And don't bring the whole notebook when 
#traveling internationally, maybe leave it with someone trusted whom you 
#can phone.)

That's one good recommendation, but not the only one
you should be thinking about if you're traveling
internationally.

The Higher Education Information Security Council (HEISC) 
has collected a variety of recommendations related to 
international travel and cyber security; if interested, 
see: "Security Tips for Traveling Abroad",
https://wiki.internet2.edu/confluence/display/itsg2/Security+Tips+for+Traveling+Abroad

Merry Christmas/Happy New Year,

Regards,

Joe
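The risk-based (adaptive) authentication policy sketched in the message above, as an added worked example that is not part of the original post or of any vendor's product. It learns what "usual" looks like for a user from a constructed history of past successful logins, scores a new login by how many signals deviate (device, location, hour of day), and decides whether the password alone suffices or a second factor must be required, with a stricter threshold for "significant" transactions. The `LoginEvent`/`UserProfile` shapes, the signal weights and the thresholds are assumptions chosen for illustration; the history and events are constructed sample data.

```python
"""Risk-based (adaptive) authentication, as an added illustration.

The weights, thresholds and data shapes below are assumptions of this
example, not any real identity provider's policy.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str    # e.g. a long-lived browser/device cookie identifier
    location: str     # coarse geolocation, e.g. "Eugene, OR"
    hour: int         # local hour of day, 0-23
    transaction: str  # "low" or "significant" (high dollar value or security-sensitive)


@dataclass
class UserProfile:
    devices: set
    locations: set
    hours: set


def build_profile(history, min_seen=2):
    """Learn what 'always' looks like for a user from past successful logins.

    A device, location or hour counts as usual once it has been seen at least
    min_seen times, so a single odd login does not poison the baseline.
    """
    devices = Counter(e.device_id for e in history)
    locations = Counter(e.location for e in history)
    hours = Counter(e.hour for e in history)
    usual = lambda c: {k for k, n in c.items() if n >= min_seen}
    return UserProfile(usual(devices), usual(locations), usual(hours))


# Assumed weights: an unknown device or location is a stronger anomaly signal
# than an unusual hour, which happens routinely to legitimate users.
WEIGHTS = {"device": 2, "location": 2, "hour": 1}


def risk_signals(profile, event):
    """List which parts of the login context deviate from the user's baseline."""
    signals = []
    if event.device_id not in profile.devices:
        signals.append("device")
    if event.location not in profile.locations:
        signals.append("location")
    if event.hour not in profile.hours:
        signals.append("hour")
    return signals


def risk_score(profile, event):
    return sum(WEIGHTS[s] for s in risk_signals(profile, event))


def decide(profile, event):
    """Return 'allow' (password alone is enough) or 'step_up' (demand a 2nd factor).

    A significant transaction tolerates no anomaly at all; a low-risk one
    tolerates one weak signal (an unusual hour) before stepping up.
    """
    score = risk_score(profile, event)
    threshold = 0 if event.transaction == "significant" else WEIGHTS["hour"]
    return "step_up" if score > threshold else "allow"


# Constructed sample history: one user, one laptop, one city, working hours.
HISTORY = [
    LoginEvent("joe", "laptop-1", "Eugene, OR", h, "low")
    for h in (9, 9, 10, 10, 14, 14)
]


def demo():
    """Run a few constructed logins through the policy; returns (label, decision, signals)."""
    profile = build_profile(HISTORY)
    cases = [
        ("usual context, low-risk", LoginEvent("joe", "laptop-1", "Eugene, OR", 10, "low")),
        ("usual context, 3am, low-risk", LoginEvent("joe", "laptop-1", "Eugene, OR", 3, "low")),
        ("usual context, 3am, significant", LoginEvent("joe", "laptop-1", "Eugene, OR", 3, "significant")),
        ("new device at home", LoginEvent("joe", "laptop-2", "Eugene, OR", 10, "low")),
        ("travelling, forgot the phone", LoginEvent("joe", "laptop-1", "Lisbon, PT", 10, "low")),
    ]
    return [(label, decide(profile, ev), risk_signals(profile, ev)) for label, ev in cases]


if __name__ == "__main__":
    for label, decision, signals in demo():
        print(f"{label:35s} -> {decision:8s} {signals}")
```

The last case is the unpredictability the message complains about: nothing about the user changed except where they are, yet the policy demands the second factor they left at home. Logging the `risk_signals` alongside the decision is what lets an operations team tune weights and thresholds against real false-positive rates rather than guessing.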

